A short overview of Android banking malware

As more and more people use their mobile phones to do their online banking, money transfers, and so on, cyber crooks wielding banking malware are increasingly turning to targeting mobile users.

“Banking Trojans on mobile were largely successful targeting older generation operating systems like J2ME and Blackberry, but haven’t made the headway they’d probably like to on Android and iOS,” says Malwarebytes’ Armando Orozco.

In fact, as far as he knows, no banking Trojans for the iOS platform have been discovered yet, most probably because it is extremely difficult to sneak malware into Apple's App Store.

But while Android malware still mostly concentrates on SMS fraud, banking Trojans are not wholly unknown.

“ZitMo, SpitMo and CitMo are the mobile cousins of Zeus, SpyEye, and Citadel, three infamous banking Trojans affecting Windows,” says Orozco. “They’ve all made a splash on Android and have had some success.”

They function by intercepting the text messages containing mTANs (mobile transaction authentication numbers) – an additional way to assure the security of the users’ online banking transactions – and sending them to remote servers for the attackers to use to impersonate the victims and drain their accounts.
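The capability described above (receiving incoming SMS before the stock messaging app sees them, then forwarding them over the network) leaves a recognisable footprint in an app's manifest. The following triage script is an example added to this overview, not code from Malwarebytes or from any of the malware families named: it parses an AndroidManifest.xml and flags the combination of the RECEIVE_SMS permission, a broadcast receiver for `android.provider.Telephony.SMS_RECEIVED` with a high `android:priority`, and the INTERNET permission. The two manifests embedded below are constructed samples, and the priority threshold is an assumed cut-off.

```python
"""Heuristic manifest triage for the SMS-interception pattern used by
mobile banking Trojans (example code added to this article, not from the
original page). Input: the text of an AndroidManifest.xml. Output: a dict
of findings plus a single 'suspicious' verdict."""

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
RECEIVE_SMS_PERM = "android.permission.RECEIVE_SMS"
INTERNET_PERM = "android.permission.INTERNET"
# Assumed threshold: receivers that want to see an SMS before the default
# messaging app typically register a very high priority.
HIGH_PRIORITY = 500


def _attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def assess_manifest(xml_text: str) -> dict:
    """Return findings for one manifest; 'suspicious' is True when all three
    indicators (RECEIVE_SMS, high-priority SMS receiver, INTERNET) co-occur."""
    root = ET.fromstring(xml_text)
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}

    # Highest priority of any intent-filter listening for incoming SMS.
    max_priority = None
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {_attr(a, "name") for a in flt.iter("action")}
            if SMS_RECEIVED_ACTION in actions:
                prio = int(_attr(flt, "priority") or 0)
                if max_priority is None or prio > max_priority:
                    max_priority = prio

    findings = {
        "receives_sms": RECEIVE_SMS_PERM in perms,
        "has_internet": INTERNET_PERM in perms,
        "sms_receiver_priority": max_priority,
    }
    findings["suspicious"] = (
        findings["receives_sms"]
        and findings["has_internet"]
        and max_priority is not None
        and max_priority >= HIGH_PRIORITY
    )
    return findings


# Constructed sample: an app posing as a "security" tool that grabs SMS early
# and can talk to the network.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakesecurity">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: an ordinary network app with no SMS access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("fake security app", SUSPICIOUS_MANIFEST),
                            ("chat app", BENIGN_MANIFEST)):
        print(label, assess_manifest(manifest))
```

This is a triage signal, not a verdict: a legitimate SMS client matches the same pattern, so the output is meant to prioritise which APKs an analyst looks at next, for example by checking what the receiver does with the message body and where the app connects.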

Zitmo has been known to masquerade as a security solution for Android, and it works in conjunction with the Windows-based Trojan, which is capable of injecting an additional form during the users’ banking session, asking victims to share their phone number and model.

SpitMo and CitMo work in a very similar manner.

Hesperbot's mobile version is a very recent addition to the group. It spreads via phishing emails and, notably, targets not only Android devices but also those running Symbian and BlackBerry.

The PC malware has keylogging capabilities, can take screenshots and hijack the phone's camera to capture video, set up remote proxies, and so on, and captures the victim's phone number so that it can deliver the mobile Trojan component via a link in an SMS. Once the mobile version is installed, it works the same way as Zitmo and the others: by intercepting text messages carrying authentication codes.

Perkel is another piece of financial malware targeting Android users. The PC version of the malware behaves like Hesperbot's, with the difference that it prompts users to install a security certificate and requests their phone number upfront. The mobile component is, likewise, delivered via SMS.

An interesting thing that the researchers noted is that the digital certificate of a variant of the Perkel malware was signed to make it look like the app was created by a legitimate US security company.

“This also points out how open the Android playground is: anyone can sign their app any way and there is no verification,” says Orozco.

“Remember to exercise caution when using mobile banking apps and try to avoid accessing your bank accounts over insecure and / or public networks,” he finally warns. “If you are unsure that an app is from your bank, it never hurts to check with them before installing it.”
